Logical Constructs – The policy model manages the entire fabric, including the
infrastructure, authentication, security, services, applications, and diagnostics. Logical
constructs in the policy model define how the fabric meets the needs of any of the
functions of the fabric.
The diagram illustrates the logical model hierarchy. The top of the ACI logical
model is represented by the ‘root’ (or universe). The next hierarchical separation is
the tenant. Each tenant has one or more private Layer 3 contexts (Private L3).
Forwarding constructs are separated from connectivity constructs; security and
location separate them out.

Management Information Model – The fabric comprises the physical and logical
components as recorded in the Management Information Model (MIM), which can be
represented in a hierarchical management information tree (MIT). The information
model is stored and managed by processes that run on the APIC. Similar to the OSI
Common Management Information Protocol (CMIP) and other X.500 variants, the
APIC enables the control of managed resources by presenting their manageable
characteristics as object properties that can be inherited according to the location of
the object within the hierarchical structure of the MIT.
Each node in the tree represents a managed object (MO) or group of objects. MOs
are abstractions of fabric resources. An MO can represent a concrete object, such as
a switch, adapter, or a logical object, such as an application profile, endpoint group, or
fault. The diagram provides an overview of the MIT.
The hierarchical structure starts with the policy universe at the top (Root) and
contains parent and child nodes. Each node in the tree is an MO and each object in
the fabric has a unique distinguished name (DN) that describes the object and locates
its place in the tree.

A tenant is a container for policies that enable an administrator to exercise domain-
based access control. The system provides the following four kinds of tenants:
•  User tenants are defined by the administrator according to the needs of users.
They contain policies that govern the operation of resources such as applications,
databases, web servers, network-attached storage, virtual machines, and so on.
•  The common tenant is provided by the system but can be configured by the fabric
administrator. It contains policies that govern the operation of resources accessible
to all tenants, such as firewalls, load balancers, Layer 4 to Layer 7 services,
intrusion detection appliances, and so on.
•  The infrastructure tenant is provided by the system but can be configured by the
fabric administrator. It contains policies that govern the operation of infrastructure
resources such as the fabric VXLAN overlay. It also enables a fabric provider to
selectively deploy resources to one or more user tenants. Infrastructure tenant
policies are configurable by the fabric administrator.
•  The management tenant is provided by the system but can be configured by the
fabric administrator. It contains policies that govern the operation of fabric
management functions used for in-band and out-of-band configuration of fabric
nodes. The management tenant contains a private out-of-band address space for
APIC/fabric internal communications; it is outside the fabric data path and
provides access through the management port of the switches. The management
tenant enables discovery and automation of communications with virtual machine
controllers.

The primary elements that the tenant contains are: filters, contracts, outsides, bridge
domains and application network profiles that contain EPGs. Entities in the tenant
inherit its policies. A tenant can contain one or more VRFs (contexts); each context
can contain multiple bridge domains (BDs).
•  Tenants can be totally isolated from one another or can share resources
•  Can represent an actual tenant, organization, domain, or just for convenience in
grouping policies
•  Represents a unit of isolation for policy resolution

A context defines a layer 3 address domain. All of the end-points within the layer 3
domain must have unique IP addresses because it is possible to directly forward
packets between these devices should the policy allow it. It is equivalent to a “VRF” in
the networking world. A tenant may contain multiple contexts.

The bridge domain defines the unique Layer 2 MAC address space and a Layer 2
flood domain (if flooding is enabled).
•  Each bridge domain must be linked to a context and have at least one subnet.
•  Bridge domains can span multiple switches.
•  A bridge domain can contain multiple subnets, but a subnet is contained within a
single bridge domain.

The ACI fabric is host routed, but what happens if there is no Layer 3 header?

L2 Unknown Unicast

Determines the behavior of L2 unknown unicast traffic in a BD. It has two
modes, with “Proxy” being the default option.
•  Flood
-  Packet is flooded in the BD.
•  Proxy
-  Sent to the Spine Proxy.
-  On the Spine the destination is either known or unknown.
-  If it is known, the packet is forwarded based on the lookup.
-  If it is unknown, the packet is dropped.

Unknown IP Multicast

While a context defines a unique IP address space, that address space can consist of
multiple subnets. Those subnets are defined in one or more bridge domains that
reference the corresponding context.
•  Subnets can span multiple EPGs; one or more EPGs can be associated with one
bridge domain or subnet.
•  Subnets can overlap with other subnets that are associated with other contexts.
•  Each bridge domain must be linked to a context and have at least one subnet.

End points – Objects that connect to the fabric. They have an IPv4 address, location
(always behind a Leaf) and attributes.
End Point Group – A logical entity containing a collection of end-points that have
common policy requirements.
•  EPGs are a collection of similar end-points representing an application tier or set of
services.
•  EPGs can represent other entities, including: outside networks, network services,
security devices, network storage, etc.
•  Provide a logical grouping for objects which require similar policy.

For example, an EPG could be the group of components that make up an
application's web tier. End-points themselves are defined using: NIC, vNIC, IP
address, or DNS name, with extensibility for future methods of identifying application
components. An EPG is like an object group in your ACLs, but it applies policy globally.

EPGs separate application addressing from its mapping and policy enforcement on
the network. An EPG could be the group of components that make up an application's
web tier.
•  End-points themselves are defined using: NIC, vNIC, IP address, (or DNS name
with extensibility for future methods of identifying application components.)
•  EPGs are used to define where policy is applied. EPGs act as a single policy
enforcement point for a group of contained objects.
•  Policy enforcement is independent of IP addressing.
The slide illustrates different servers, 4 serving up https and 4 others serving up http, all
in different subnets. Since these 8 servers reside in the same EPG, they can talk to
each other: no contracts necessary, no enforcement. This simplifies configuration of
these policies and ensures consistency.

Additional policy is not applied based on subnet, but rather on the EPG itself; this means
that IP addressing changes to the end-point do not necessarily change its policy, as
is commonly the case in traditional networks (the exception here is an EP defined by
its IP.)

IP Address / Subnet is currently only available for L3 outside EPGs.
In a future release internal EPGs will be classifiable by subnet.

APIC manages pushing of policy to leaf enforcement point when EPs connect. Based
on policies set to ‘immediate’ or ‘on demand’, APIC will push the policy to the Leaf
where it is rendered into the hardware.
Applying Policy to End-Points:
1.  End Point attaches to fabric
2.  APIC detects End Point and derives its EPG
•  Designated as source EPG
3.  APIC pushes required policy to leaf switch
•  Policies require both source and destination EPG

Policy pushed to Leaf nodes based on Resolution Immediacy
•  Immediate – All policies (VLAN / NVGRE / VXLAN bindings, Contracts, Filters)
pushed to leaf node upon Hypervisor pNIC attachment. LLDP or OpFlex used to
resolve Hypervisor to Leaf node attachment.
•  On Demand – Policies only pushed to leaf node upon pNIC attachment AND vNIC
association with port-group (EPG)
Policy programming in Leaf node hardware based on Instrumentation Immediacy
•  Immediate – Policies programmed in Policy CAM once received by the leaf, as defined
by the Resolution Immediacy policy
•  On Demand – Policies programmed in hardware Policy CAM only when reachability
is learnt through the data path

The slide illustration top example would be 100 entries in a white-list security model.
White List: By default users have access to nothing and are granted access to the
things they need.
Black List: By default users have access to everything and their access is removed
from the things that they do not need.

The enforcement boundary is no longer on the IP but on the source and destination
EPGs, reducing TCAM requirements from 100 entries to 5 (5 ACLs).
TCAM can be an expensive component of switch hardware and therefore tends to
lower policy scale or raise hardware costs. Within the ACI fabric, policy is applied
based on the EPG rather than the EP itself: sources and destinations become one
entry for a given EPG, which reduces the total number of entries required.

Application Network Profiles (ANP) – An application profile (fvAp) models
application requirements. An application profile is a convenient logical container for
grouping EPGs and the Contracts (policies) that define the communication between
them.
Application profiles contain one or more EPGs. Modern applications contain multiple
components. For example, an e-commerce application could require a web server, a
database server, data located in a storage area network, and access to outside
resources that enable financial transactions. The application profile contains as many
(or as few) EPGs as necessary that are logically related to providing the capabilities
of an application.
EPGs can be organized according to one of the following:
•  The application they provide (such as sap in the example in Appendix A)
•  The function they provide (such as infrastructure)
•  Where they are in the structure of the data center (such as DMZ)
•  Whatever organizing principle that a fabric or tenant administrator chooses to use

An Application Network Profile (ANP) is a collection of the EPGs and their
relationship (connections), and the policies that define those connections. ANPs are
designed to be modeled in a logical fashion which matches the way applications are
designed and deployed. The configuration and enforcement of the policies and
connectivity is then handled by the system itself via the IFC rather than an
administrator.
Provider consumer relationships define application connectivity in application terms.
All objects can provide, consume, or both. The diagram illustrates the following:
•  EPG-WEB is a provider for EPG-Users
•  EPG-WEB and EPG-APP are both providing and consuming services from each
other
•  EPG-DB is a provider for EPG-APP.
The arrows do not represent traffic going across your wires; rather, they represent the
provider-consumer relationship, which can be unidirectional or bi-directional.
The current model defines policies based on the box that enforces the given policy:
load-balancers enforce something different from firewalls, routers, etc.
Contracts define the policy based on EPGs and enforcement is distributed, done at
the Leaf. But we have central control of all policies in APIC; it pushes out policies
where needed, on demand.
Steps:
1. Create EPGs
2. Create policies which define connectivity and include: (Permit, Deny, Log, Redirect)
3. Create connection points between EPGs utilizing policy constructs known as

Contracts define communication between source and destination EPGs. Contracts
contain a group of subjects, each of which is a combination of a filter, an action, and a label.
The label is an optional identifier; when used, labels allow for more complex definition
of relationships within the policy model.

In the slide we have TCP Port 80 as the filter, Permit is the Action with Label Web
Access. All this is contained in the Subject, the Contract contains one or more
Subjects.

Policy encompasses traffic handling, quality of service, security monitoring and
logging
Current policy options supported:
•  Permit the traffic
•  Deny/Block the traffic (Only available with a Taboo contract)
•  Redirect the traffic
•  Mark the traffic

Note: ACI roadmap includes support for Copy and Log capabilities.
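The following Python is an added example, not code from the slides or from APIC, that puts the contract model described above into one small evaluator: endpoints are classified into EPGs, a contract carries subjects (filter, action, optional label), a relation is consumer to provider and so is directional unless declared both ways, a taboo contract denies matching traffic regardless of any contract, traffic within one EPG needs no contract, and anything unmatched is denied (the white-list default). It also counts the policy entries needed when rules are keyed on EPG pairs versus endpoint pairs, which is the TCAM saving argued earlier. The EPG names, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """Traffic classifier: protocol plus optional destination port (None = any)."""
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, hdr):
        return ((self.proto == "any" or hdr["proto"] == self.proto)
                and (self.dport is None or hdr.get("dport") == self.dport))


@dataclass(frozen=True)
class Subject:
    """Filter + action + optional label; a contract holds one or more of these."""
    filter: Filter
    action: str = "permit"      # permit / redirect / mark; deny only via taboo
    label: str = ""


@dataclass(frozen=True)
class Contract:
    name: str
    subjects: tuple


def pkt(src, dst, proto="tcp", dport=None):
    """Constructed packet header, just enough for classification."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


class Fabric:
    def __init__(self):
        self.epg_of_ep = {}     # endpoint address -> EPG name
        self.relations = {}     # (consumer EPG, provider EPG) -> [Contract]
        self.taboos = {}        # EPG name -> [Filter] always denied towards it

    def add_eps(self, epg, addrs):
        for a in addrs:
            self.epg_of_ep[a] = epg

    def relate(self, consumer, provider, contract):
        self.relations.setdefault((consumer, provider), []).append(contract)

    def evaluate(self, hdr):
        """Decision for one packet; anything unmatched is denied (white-list)."""
        src = self.epg_of_ep.get(hdr["src"])
        dst = self.epg_of_ep.get(hdr["dst"])
        if src is None or dst is None:
            return "deny"       # unknown endpoint: nothing to classify it into
        if any(f.matches(hdr) for f in self.taboos.get(dst, [])):
            return "deny"       # taboo wins over any contract, even intra-EPG
        if src == dst:
            return "permit"     # same EPG: no contract needed, no enforcement
        for contract in self.relations.get((src, dst), []):
            for subj in contract.subjects:
                if subj.filter.matches(hdr):
                    return subj.action
        return "deny"

    def epg_entries(self):
        """Policy-CAM entries when keyed on (source EPG, destination EPG, filter)."""
        return sum(len(c.subjects) for cs in self.relations.values() for c in cs)

    def per_endpoint_entries(self):
        """Entries the same policy would cost if keyed on endpoint pairs instead."""
        size = {}
        for epg in self.epg_of_ep.values():
            size[epg] = size.get(epg, 0) + 1
        return sum(size[c] * size[p] * len(ct.subjects)
                   for (c, p), cs in self.relations.items() for ct in cs)


def build_sample_fabric():
    """Constructed sample, loosely following the Users / WEB / APP / DB slides."""
    f = Fabric()
    f.add_eps("EPG-Users", [f"10.0.0.{i}" for i in range(1, 11)])     # 10 clients
    http = [f"10.1.0.{i}" for i in range(1, 5)]                      # 4 http servers
    https = [f"10.2.0.{i}" for i in range(1, 5)]                     # 4 https servers, other subnet
    f.add_eps("EPG-WEB", http + https)
    f.add_eps("EPG-APP", ["10.3.0.1", "10.3.0.2", "10.3.0.3"])
    f.add_eps("EPG-DB", ["10.4.0.1", "10.4.0.2"])
    web = Contract("web-access", (Subject(Filter("tcp", 80), "permit", "Web Access"),
                                  Subject(Filter("tcp", 443), "permit", "Web Access")))
    app = Contract("app", (Subject(Filter("tcp", 8080)),))
    db = Contract("db", (Subject(Filter("tcp", 3306)),))
    f.relate("EPG-Users", "EPG-WEB", web)
    f.relate("EPG-WEB", "EPG-APP", app)       # WEB and APP provide to and
    f.relate("EPG-APP", "EPG-WEB", app)       # consume from each other
    f.relate("EPG-APP", "EPG-DB", db)         # DB provides only to APP
    f.taboos["EPG-DB"] = [Filter("tcp", 22)]  # taboo: tcp/22 towards DB always denied
    return f


if __name__ == "__main__":
    f = build_sample_fabric()
    print(f.evaluate(pkt("10.0.0.1", "10.1.0.1", "tcp", 80)))     # permit
    print(f.evaluate(pkt("10.4.0.1", "10.3.0.1", "tcp", 3306)))   # deny: DB only provides
    print(f.epg_entries(), "EPG-keyed vs", f.per_endpoint_entries(), "endpoint-keyed entries")
```

With this sample the EPG-keyed policy needs 5 entries where the same rules keyed on endpoint pairs need 214; the two http/https web servers in different subnets talk freely because they share an EPG, while the DB taboo denies tcp/22 even between the two DB servers themselves.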

The IS-IS routing protocol allows for a two-level hierarchy of routing information.
There can be multiple Level 1 areas interconnected by a contiguous Level 2
backbone. A router can belong to Level 1, Level 2, or both. The Level 1 link-state
database contains information about that area only. The Level 2 link-state database
contains information about that level as well as each of the Level 1 areas. An L1/L2
router contains both Level 1 and Level 2 databases. It advertises information about
the L1 area to which it belongs into L2. Each L1 area is essentially a stub area.
Packets destined for an address that is outside of the L1 area are routed to the
closest L1/L2 router to be forwarded on to the destination area. Routing to the closest
L1/L2 router can lead to sub-optimal routing when the shortest path to the destination
is through a different L1/L2 router.
Route leaking helps reduce sub-optimal routing by providing a mechanism for leaking,
or redistributing, L2 information into L1 areas. By having more detail about inter-area
routes, an L1 router is able to make a better choice about which L1/L2 router to
forward the packet to.
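To make the route-leaking argument concrete, here is an added Python simulation (not from the slides) over a constructed two-area topology: R1 is Level 1 only in area 1 and has two L1/L2 routers, A and B; the backbone path through A is expensive and the one through B is cheap. Without leaking, R1 treats its area as a stub and hands inter-area traffic to the closest L1/L2 router (A), giving an end-to-end cost of 12; with L2 routes leaked into area 1, R1 sees the full inter-area cost and chooses B at cost 4. Router names and metrics are constructed.

```python
import heapq

INF = float("inf")

# Constructed two-area IS-IS topology (not from the slides). R1 and R2 are
# Level 1 only; A, B, C, D are L1/L2 routers; links are (router, router, metric).
ROUTERS = {
    "R1": {"area": 1, "levels": {1}},
    "A":  {"area": 1, "levels": {1, 2}},
    "B":  {"area": 1, "levels": {1, 2}},
    "C":  {"area": 2, "levels": {1, 2}},
    "D":  {"area": 2, "levels": {1, 2}},
    "R2": {"area": 2, "levels": {1}},
}
LINKS = [("R1", "A", 1), ("R1", "B", 2),        # area 1, level 1
         ("A", "C", 10), ("B", "D", 1),         # level 2 backbone
         ("C", "R2", 1), ("D", "R2", 1)]        # area 2, level 1
DEST = "R2"   # stands for a prefix attached to R2 in area 2


def dijkstra(nodes, links, src):
    """Shortest-path tree (SPF) over the given link-state database."""
    adj = {n: [] for n in nodes}
    for a, b, w in links:
        adj[a].append((b, w))
        adj[b].append((a, w))
    dist = {n: INF for n in nodes}
    dist[src] = 0
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in adj[u]:
            if d + w < dist[v]:
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return dist


def l1_spf(area, src):
    """The Level 1 LSDB holds only the routers and links of its own area."""
    nodes = [r for r, p in ROUTERS.items() if p["area"] == area]
    links = [l for l in LINKS if l[0] in nodes and l[1] in nodes]
    return dijkstra(nodes, links, src)


def l2_cost_to_dest(router):
    """Cost from an L1/L2 router to DEST via the Level 2 backbone. The L1/L2
    routers of DEST's area advertise it into L2 with their own L1 cost to it."""
    nodes = [r for r, p in ROUTERS.items() if 2 in p["levels"]]
    links = [l for l in LINKS if l[0] in nodes and l[1] in nodes]
    d2 = dijkstra(nodes, links, router)
    dest_area = ROUTERS[DEST]["area"]
    return min(d2[r] + l1_spf(dest_area, r)[DEST]
               for r in nodes if ROUTERS[r]["area"] == dest_area)


def choose_exit(src, leaking):
    """Which L1/L2 router an L1-only router sends DEST traffic to, and the
    end-to-end cost. Without leaking the area is a stub and the router picks
    the closest L1/L2 router; with leaked L2 routes it sees the full cost."""
    area = ROUTERS[src]["area"]
    d1 = l1_spf(area, src)
    exits = [r for r in d1 if 2 in ROUTERS[r]["levels"]]
    if leaking:
        choice = min(exits, key=lambda r: d1[r] + l2_cost_to_dest(r))
    else:
        choice = min(exits, key=lambda r: d1[r])
    return choice, d1[choice] + l2_cost_to_dest(choice)


if __name__ == "__main__":
    print("no leaking:", choose_exit("R1", leaking=False))   # ('A', 12)
    print("leaking   :", choose_exit("R1", leaking=True))    # ('B', 4)
```

The only difference between the two runs is the information available to R1: the stub behaviour sees just the L1 metric to each exit, while leaking adds the exit's advertised L2 cost, so the choice flips from A to B and the path cost drops from 12 to 4.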

Contracts between tenants: https://techzone.cisco.com/t5/Application-Centric/Configuring-Inter-Tenant-Communication/ta-p/717605

ACI is a white-list model – it assumes we know the communication that should take
place. A traditional network is a black-list model; ACI can implement a black-list via
Taboos. A black-list model explicitly denies or allows specific things.
Credit-card service providers are black-list.
Analogy: if a customer misses a payment, the SP does not cancel the card, it simply
DENIES until the bill is paid → then opens access.

Level3 is the default class/queue

"DSCP Target" is remarking
